Author Topic: Hack of Sigllent spectrum analyzer ssa3021X?  (Read 203041 times)


Offline rf-loop

  • Super Contributor
  • ***
  • Posts: 3102
  • Country: cn
  • Born with DLL21 in hand
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #200 on: January 03, 2017, 09:41:15 am »
Hi,
yes, upgrade is still possible  ;) - read in thread before.
Regards
Might a new guide for dummies be required ?

I'm one and I'd have no idea where to start.  :scared:
I've read this forum several times and as is stated in this post we, yes me as well, need an upgrade-for-dummies step-by-step guide. It's confusing to read to replace ecomb from 8 with the one from 7 and then what?? You can now roll back upgrades? That's great if I read that correctly but chances are high I didn't. There are some pretty incredibly talented users in this forum and if one or a few could help those of us who need the upgrades-for-dummies method I think we and everyone else who is trying to do the upgrade and failing or just afraid to try would be very grateful.

Does please and thank you work?  :-+

You have not read.
This message is mandatory to read:

https://www.eevblog.com/forum/testgear/hack-of-sigllent-spectrum-analyzer-ssa3021x/msg1069844/#msg1069844

self-censorship: <deleted funny paragraph>
« Last Edit: January 03, 2017, 11:16:48 am by rf-loop »
If practice and theory is not equal it tells that used application of theory is wrong or the theory itself is wrong.
-
Harmony OS
 

Offline TurboTom

  • Frequent Contributor
  • **
  • Posts: 699
  • Country: de
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #201 on: January 03, 2017, 09:57:38 am »
As far as I know, so far nobody has been able to run a "proper" update after the manual "downgrade" from F/W 8.01 to 7.07 by just exchanging the "ecomb" application file. Since most (all??) of those who contributed to the "DIY improvements" of the instrument so far own older machines that initially had FW 7.0x installed and thus have the options and full bandwidth active already, there won't be much motivation for them for further experimentation.

To "properly" hack a machine that came with F/W 8.01, the script of the 7.07 -> 8.01 update would have to be analyzed and checked to see if all the steps that are executed in there could be reversed. Only if this is possible would a downgrade to 7.0x be an option that permits the application of the "old" hack and re-update to 8.01 with the standard update file.

I showed a method to enable the "test mode" with all the options, full frequency range and even 3MHz and 1Hz RBW active. I'm pretty sure that Siglent will lock this hole with the next F/W update. This modification and also the reverse functionality could be easily put in a script. But I also think that those who tamper with their machines should know what they are doing. There's always a risk of bricking the instrument when messing with it in such a way and in my opinion (others may have a different one...), some basic knowledge of the operating system and what's going on internally will be the best insurance against fatal (to the instrument, that is) errors. And I guess the information found in this thread makes it almost as easy as it gets to apply the improvements. It's all within the last four pages of the thread.

Just noticed, rf-loop made it even easier for the newbies... So be sure to cut&paste and save a copy of his post before he deletes it again (as he said he would -- sorry, too late...).

Cheers,
Thomas
« Last Edit: January 03, 2017, 12:23:58 pm by TurboTom »
 

Offline Bicurico

  • Frequent Contributor
  • **
  • Posts: 946
  • Country: pt
    • VMA's Satellite Blog
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #202 on: January 03, 2017, 10:34:09 am »
TurboTom is correct:

Owners of devices shipped with FW prior to P08.01 have had the opportunity to hack their device and ENABLE the missing options. These stay enabled after the P08.01 upgrade, except 3MHz and 1Hz RBW.

On top of that, by removing/renaming the already mentioned files, the P08.01 firmware will assume that it is in manufacturer mode, where ALL OPTIONS are enabled for an unknown serial number.

Conclusion:

1) The hack is permanent for older devices (if done correctly).
2) The hack is temporary for all devices (including new devices shipped with P08.01) on FW P08.01.
3) Next FW will probably invalidate the easy P08.01 hack.

History of hacks:

1) A "werewolf mode" FW appeared by accident on SIGLENT.COM, that enabled all options (P05)
2) The Telnet login/password was discovered
3) It was discovered that the timed options could be made permanent by putting silly values in them (this would lead to a non-permanent hack upon P08.01 upgrade)
4) It was discovered that all options could be authorised by changing missing options status to TRUE
5) Siglent ceased using a simple file listing TRUE/FALSE on options and instead uses the corresponding activation keys starting with P08.01
6) It was discovered that deleting/renaming 4 files, all options get authorised by default - as the device behaves as a stock device without serial number

Conclusion:

1) Everyone right now can enable all options
2) If a newer FW is released, do not upgrade if you want to maintain the hacked status
3) Existing users with hacked device are not that keen to do experiments, as the machine costs 1500 Euro (+VAT) and can be damaged by doing so
4) Siglent may not be "hunting" the hackers but are certainly closing the doors enabling the hacks
5) Did the hack increase sales? I would say yes (at least that was a big motivation for me to get the device, as it made it much more attractive). Will Siglent be permissive because of that? Nobody knows!
6) If you cannot be bothered to read a thread with JUST 9 PAGES, then you are not in a position to demand anything!  ;)

Regards,
Vitor
 
The following users thanked this post: videobruce, nugglix, tefe

Offline lz1pro

  • Contributor
  • Posts: 8
  • Country: bg
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #203 on: January 03, 2017, 07:30:55 pm »
Hello to all and Happy New Year!

I'm new in this forum. So I broke my new SSA3000X with FW 08.01.

After an attempt to downgrade to 7.07 by copying the file ecomb, my NAND rootfs broke. The problem is that on the screen I only see the Siglent logo and nothing happens after that.
I still have access via UART interface and U-boot.
Please, can anybody help to restore my NAND?

I have a backup copy of firmdata0 and /usr/bin/siglent/usr/backup/.

Regards
Yanko
 
« Last Edit: January 03, 2017, 07:38:02 pm by lz1pro »
 

Offline Bicurico

  • Frequent Contributor
  • **
  • Posts: 946
  • Country: pt
    • VMA's Satellite Blog
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #204 on: January 03, 2017, 08:25:52 pm »
How did you break the NAND rootfs? Please give as much info as possible.

@all: Somewhere (can't remember) I uploaded a tool that extracts the firmware contents to an almost regular ZIP archive. You can then uncompress most of it.

Doing so will show you 2-3 shell scripts (*.sh), one of which is called "siglentlib.sh". It kind of shows what is done during the upgrade.

Since you can decompress any firmware version, you can e.g. compare the differences between the P07.07 and the P08.01 upgrade.

Hope this helps.

Regards,
Vitor

Offline TurboTom

  • Frequent Contributor
  • **
  • Posts: 699
  • Country: de
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #205 on: January 03, 2017, 11:22:56 pm »
@lz1pro

Could Siglent have a real problem here? Your failure mode appears very much similar to Jobber's: https://www.eevblog.com/forum/testgear/hack-of-sigllent-spectrum-analyzer-ssa3021x/msg1088378/#msg1088378 .
Yet, he reported that this happened on his instrument during the attempt to update from native 7.07 to 8.01. We should really keep an eye on this. Could it be possible that Siglent got hold of a series of faulty or counterfeit NAND flash chips? The error message is a clear indication of a faulty block in the NAND that should have been mapped out.
If your SSA is still in the warranty period, I would consider having it replaced. It shouldn't be possible to trace your hacking attempts easily with this kind of error.

Good luck,
Thomas
 

Offline tautech

  • Super Contributor
  • ***
  • Posts: 16731
  • Country: nz
  • Taupaki Technologies Ltd. NZ Siglent Distributor
    • Taupaki Technologies Ltd.
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #206 on: January 03, 2017, 11:32:44 pm »
@lz1pro

Could Siglent have a real problem here? Your failure mode appears very much similar to Jobber's: https://www.eevblog.com/forum/testgear/hack-of-sigllent-spectrum-analyzer-ssa3021x/msg1088378/#msg1088378 .
Yet, he reported that this happened on his instrument during the attempt to update from native 7.07 to 8.01. We should really keep an eye on this. Could it be possible that Siglent got hold of a series of faulty or counterfeit NAND flash chips? The error message is a clear indication of a faulty block in the NAND that should have been mapped out.
If your SSA is still in the warranty period, I would consider having it replaced. It shouldn't be possible to trace your hacking attempts easily with this kind of error.

Good luck,
Thomas
Sadly this may not be the case, check the changelog for Version: P08.01:

5. After this firmware, do not support downgrade operation

http://www.siglentamerica.com/gjjrj-xq.aspx?id=4973&tid=15

This may be something we all need to take note of.
Avid Rabid Hobbyist
 

Offline lz1pro

  • Contributor
  • Posts: 8
  • Country: bg
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #207 on: January 04, 2017, 07:02:06 am »
How did you break the NAND rootfs? Please give as much info as possible.

@all: Somewhere (can't remember) I uploaded a tool that extracts the firmware contents to an almost regular ZIP archive. You can then uncompress most of it.

Doing so will show you 2-3 shell scripts (*.sh), one of which is called "siglentlib.sh". It kind of shows what is done during the upgrade.

Since you can decompress any firmware version, you can e.g. compare the differences between the P07.07 and the P08.01 upgrade.

Hope this helps.

Regards,
Vitor

It's a good idea to start playing with "siglentlib.sh", but first I need to boot from an SD card to be able to access the shell. I'm trying to find an image to boot from SD card, but without success.
Any suggestion will be welcome.

Regards,
Yanko
 

Online KeBeNe

  • Contributor
  • Posts: 34
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #208 on: January 04, 2017, 05:23:14 pm »

Hello,

I have the same problem as lz1pro with the hack, device was delivered with 8.01.

regards
 

Offline Bicurico

  • Frequent Contributor
  • **
  • Posts: 946
  • Country: pt
    • VMA's Satellite Blog
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #209 on: January 04, 2017, 05:59:34 pm »
Neither of you describes what you guys did that led to breaking the root filesystem!

Please explain step by step what you did and when your device broke.

It won't be easy to recover, as I at least have no idea how to boot, flash or install a new rootfs.

I think the answer is somewhere in the siglentlib.sh file. But I guess you need a working fs to start with.

In the worst case scenario you need to JTAG the flash, but for that you need a flash dump. This again needs someone with a good device to open it (losing warranty and risking damage), in order to dump the flash contents.

Perhaps there is an easier way, but I guess nobody knows how to do that.

Is there anything you can do from the serial shell?

Also, I agree with TurboTom: just request a repair under warranty claiming that this happens during a firmware upgrade...

Regards,
Vitor

Offline lz1pro

  • Contributor
  • Posts: 8
  • Country: bg
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #210 on: January 04, 2017, 06:11:50 pm »
@KeBeNe
Hello here,
can you tell when it happened, after an attempt to mount the rootfs or a command like this: "mount -o remount,rw /"?
It will be helpful for other users that try to downgrade.
Here is a link with the same problem on another device: http://linux-mtd.infradead.narkive.com/aO9xNZvZ/temporarily-remounting-rootfs-as-rw-leads-to-kernel-panic-on-reboot

Regards,
Yanko
 

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 18289
  • Country: nl
    • NCT Developments
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #211 on: January 04, 2017, 06:29:55 pm »
It is very important to use the 'sync' command before cycling power because otherwise data may not be written to the filesystem yet which leads to incomplete or missing files.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 364
  • Country: ee
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #212 on: January 04, 2017, 06:36:12 pm »
Somewhere I posted 08.01 in zip format and decoded nsp_data_b too.
In img files I look with ubidump, maybe there is better utility for this.

08.01.zip firmware
 
The following users thanked this post: kado, fact

Online KeBeNe

  • Contributor
  • Posts: 34
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #213 on: January 05, 2017, 03:54:40 am »
Hello,

I've done:

- FW 7.07 (Siglent FW-tool + 7zip)
- ecomb from FW 7.07 to USB stick
- SSA3021X connected via Telnet (PuTTY)
- Login: root, PW: ding1234 - all ok
- first, backup: "cp -R /usr/bin/siglent /usr/bin/siglent/usr/mass_storage/U-disk0/SSA3021x_backup" - ok
- then "mount rootfs -o remount,rw" - ok
- "cd /usr/bin/siglent" - ok
- "cp /usr/bin/siglent/usr/mass_storage/U-disk0/ecomb" - ok
- "sync" - ok
- "mount rootfs -o remount,ro" - ok
- "shutdown -r" - ok
So far everything ok, the device reboots, but a downgrade to 7.07 is still not possible.

I thought I would switch it off and on again, for a complete reboot; then the device stopped at "Siglent", no more start.


regards René
« Last Edit: January 05, 2017, 04:10:20 am by KeBeNe »
 

Offline ExplodingLemur

  • Contributor
  • Posts: 6
  • Country: us
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #214 on: January 05, 2017, 04:12:20 am »
Does anyone have the 7.07 firmware image converted to a zip file?  I want to compare the upgrade scripts.  I think an 8.01 device can be reverted to 7.07 with some manual file copies.
 

Offline ExplodingLemur

  • Contributor
  • Posts: 6
  • Country: us
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #215 on: January 05, 2017, 04:14:47 am »
KeBeNe, at this point can you still get a shell on the device?  If so I'll try to get you a set of instructions.
 

Offline TurboTom

  • Frequent Contributor
  • **
  • Posts: 699
  • Country: de
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #216 on: January 05, 2017, 08:00:19 am »
I think when messing around with ecomb, it is mandatory to first stop this process since that's the main application that's running in the background.

Type "ps [enter]" to show the processes that are currently running on the system. Note the process number of ecomb, let's assume it's 374.
To terminate the process, type "kill 374 [enter]". After this, repeat the "ps" command to make sure ecomb is no longer running.

After this, it should be less risky to copy / replace it, but anyway, my own experiments with this didn't show any substantial use of it, at least as long as the "firmdata0 hack" is available. Actually, I would recommend just leaving the root FS mounted read-only and not messing with it anymore (of course this wouldn't help those who already have a broken machine).

All the best,
Thomas
 
The following users thanked this post: rf-loop, KeBeNe, tautech, ExplodingLemur, DL4RAJ
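The two hazards TurboTom and nctnico describe above (overwriting a binary while its process is still running, and power-cycling before the write has actually reached flash) are generic to any embedded Linux root filesystem, not specific to this instrument. The helper below is an added example, not code from the thread or from Siglent: it is a POSIX shell function that refuses to replace a file some process is executing (an automatic version of the ps/kill check, done through /proc and therefore Linux-only), keeps a backup, copies via a temporary file that is checksum-verified and renamed into place, and finishes with sync. The demonstration paths and file contents are constructed; nothing in it references a real device.

```shell
#!/bin/sh
# Added example (not from the thread): replace a file on an embedded root
# filesystem with the precautions discussed above. Written for POSIX sh so it
# also runs on a BusyBox system; the /proc check only works on Linux and only
# sees native executables (a script is seen as its interpreter).

# replace_file SRC DST BACKUP_DIR
#   1 = source missing, 2 = target still running, 3-6 = copy/verify failures
replace_file() {
    src=$1; dst=$2; bak=$3

    [ -f "$src" ] || { echo "source missing: $src" >&2; return 1; }
    [ -f "$dst" ] || { echo "target missing: $dst" >&2; return 1; }

    # 1. Refuse to overwrite a binary that some process is still executing.
    #    /proc/<pid>/exe is a symlink to the running image; compare canonical paths.
    target=$(readlink -f "$dst")
    for exe in /proc/[0-9]*/exe; do
        if [ "$(readlink "$exe" 2>/dev/null)" = "$target" ]; then
            pid=${exe#/proc/}; pid=${pid%/exe}
            echo "refusing: $dst is running as pid $pid; stop it first" >&2
            return 2
        fi
    done

    # 2. Keep a backup of the original before touching anything.
    mkdir -p "$bak" && cp "$dst" "$bak/$(basename "$dst")" || return 3

    # 3. Copy to a temporary file on the same filesystem, verify the copy
    #    against the source with cksum, then rename into place (atomic).
    tmp="$dst.tmp.$$"
    cp "$src" "$tmp" || { rm -f "$tmp"; return 4; }
    if [ "$(cksum < "$src")" != "$(cksum < "$tmp")" ]; then
        echo "copy verification failed for $dst" >&2
        rm -f "$tmp"
        return 5
    fi
    mv "$tmp" "$dst" || { rm -f "$tmp"; return 6; }

    # 4. Flush the page cache so a power cycle cannot lose the write.
    sync
    return 0
}

# Demonstration on constructed files in a temporary directory.
demo_dir=$(mktemp -d)
printf 'version A\n' > "$demo_dir/app"
printf 'version B\n' > "$demo_dir/app.new"
if replace_file "$demo_dir/app.new" "$demo_dir/app" "$demo_dir/backup"; then
    echo "replaced: $(cat "$demo_dir/app"); backup holds: $(cat "$demo_dir/backup/app")"
fi
rm -rf "$demo_dir"
```

The order matters: the backup is taken before the copy, the verification happens before the rename, and sync is the last step, so at no point does an interrupted run leave the target half-written. On a real root filesystem the remount to read-write and back belongs around the call, exactly as in the steps posted earlier in the thread.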

Offline fact

  • Contributor
  • Posts: 28
  • Country: nl
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #217 on: January 05, 2017, 11:12:43 am »
@janekivi What utility do you use to convert the ADS-file to a fully extractable zip?
 

Offline lz1pro

  • Contributor
  • Posts: 8
  • Country: bg
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #218 on: January 05, 2017, 02:30:12 pm »
Hi to all,

My SSA3000X is back to living. :)
So I want  to say BIG Thanks to TurboTom for help and support.
Thank you very much Thomas!

Regards,
Yanko
 

Offline tautech

  • Super Contributor
  • ***
  • Posts: 16731
  • Country: nz
  • Taupaki Technologies Ltd. NZ Siglent Distributor
    • Taupaki Technologies Ltd.
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #219 on: January 05, 2017, 02:43:02 pm »
Hi to all,

My SSA3000X is back to living. :)
So I want  to say BIG Thanks to TurboTom for help and support.
Thank you very much Thomas!

Regards,
Yanko
Nice.  :-+

It would be polite to further thank Tom, use the button.
Avid Rabid Hobbyist
 

Offline fact

  • Contributor
  • Posts: 28
  • Country: nl
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #220 on: January 05, 2017, 04:03:47 pm »
Experimenting with a "clean" TI SD-card image gave this output:

Code:
P
U-Boot SPL 2013.01.01 (Jan 11 2016 - 14:14:06)
Start buzzer++
Stop buzzer--nand_init+++++
nand_init-----
>>spl_load_lcd_fpga++
LCD init()++
Lcd_Init()++
SetUpLCD()++
SetUpLCD()--
len=1228852, height=600, width=1024
Logo from nandflash: base=0x81000000; end=0x8112c01f; end-base=0x12c01f; rwsize=0x12c020; r=0x0
Lcd_Init()--
>>spl_load_lcd_fpga--


U-Boot 2013.01.01 (Jan 11 2016 - 14:14:06)

I2C:   ready
DRAM:  128 MiB
NAND:  256 MiB
MMC:   OMAP SD/MMC: 0, OMAP SD/MMC: 1
Using default environment

set_default_env::4309
Net:   <ethaddr> not set. Validating first E-fuse MAC
cpsw
Hit any key to stop autoboot
mmc0 is current device
SD/MMC found on device 0
reading uEnv.txt
** Unable to read file uEnv.txt **
reading uImage
** Unable to read file uImage **
** File not found /boot/uImage **
Could not find uImage
U-Boot#

So adding a valid uEnv.txt and uImage might do the trick.....
 

Online KeBeNe

  • Contributor
  • Posts: 34
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #221 on: January 05, 2017, 04:52:06 pm »
 

Online KeBeNe

  • Contributor
  • Posts: 34
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #222 on: January 05, 2017, 05:01:20 pm »
KeBeNe, at this point can you still get a shell on the device?  If so I'll try to get you a set of instructions.

Thanks for the offer, I have returned my device and got a new one; I would not want to destroy the guarantee seal.

Perhaps lz1pro can briefly describe how he has made it to bring his device back to life.
 

Offline lz1pro

  • Contributor
  • Posts: 8
  • Country: bg
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #223 on: January 05, 2017, 05:52:49 pm »
My way to restore needs access to the SD card slot and the UART interface. So there is no possibility to access them without manipulating the warranty sticker.
Regards,
Yanko
 

Offline fact

  • Contributor
  • Posts: 28
  • Country: nl
Re: Hack of Sigllent spectrum analyzer ssa3021X?
« Reply #224 on: January 05, 2017, 07:02:07 pm »
You could always drill a hole in the side for access. The sticker remains undamaged that way.  :)
 
The following users thanked this post: lz1pro
